Point-of-Sale Systems easy Target for Hackers

Great article on the Threat Post yesterday that really hit close to home. According to the article, Point-of-Sale (POS) systems are becoming a favorite target of hackers, even over online e-commerce sites.

The reason? Magnetic strip information. Hacking a website may reveal credit card number and expiration data but not the magnetic strip data:

“But when magnetic strip data is not available criminals are limited to card-not-present fraud; they can only use the data they obtain from e-commerce attacks against other e-commerce or card-not-present businesses. E-commerce is most often not the primary target in large-scale payment fraud — the data just isn’t as valuable,”

Trustwave SpiderLabs Unit, an advanced security team that performs penetration testing and incident response, stated in a 2010 report that of 220 security breaches investigated last year, 75% were POS systems. And for the majority of these incidents, poor authentication practices were the culprit:

“For instance, our investigations often uncover deficiencies in regards to basic security controls, such as the use of default passwords and single-factor remote access solutions. In 87% of POS breach cases, third party integrators used some form of default credentials with either remote access systems or at the operating systems layer. Businesses should work with their third party vendors to help ensure non-functional security requirements are part of the implementation and maintenance agreements,” the SpiderLabs Global Security Report 2011 says.

This really makes sense when you think of it. Online systems are slowly becoming better at protecting data, mostly because they have been under constant attack for a long time. Hackers are very opportunistic, and cyber crime has become big business. Speed counts, and if it is faster just to target the POS system, you better believe that they will. And many times POS systems are set up by an outside computer company that may not be very experienced in setting up these systems.

For 15 years I worked for a computer company that did numerous small business networks and POS systems. Many times we would be called in to fix a network that another company installed. It is amazing what you would run into in the field. Questionable companies would do everything from selling pirated network software to selling enterprise level equipment to mom and pop stores. And to add insult to injury, many times this equipment was not even setup correctly.

One time, a nefarious computer company owner would remote into a client’s network at night and sabotage it. When they called him in a panic the next morning, he would run right over and fix it… For several hundred dollars. They started to get suspicious after this happened several times. An analysis of the remote access logs showed that the computer company owner just happened to log into the system each night before the catastrophic system crashes.

Security monitoring is very important in catching breaches. Companies that monitor their POS systems are much more likely to detect the breach earlier than companies that rely on outside entities for monitoring:

“Our analysis reveals that, on average, a lapse of 156 days occurred between an initial breach and detection of that incident. In other words, a system was infiltrated almost six months prior to detection of the incident,” the report concludes. “Analysis demonstrates that those entities capable of discovering an incident themselves did so within a much shorter timeframe than entities who relied on others to identify the breach. In contrast, those entities that exclusively relied on a third party for detection, or just didn’t detect the problem until a regulatory body did, could take up to five times longer to detect the breach.

So how do you protect yourself against this type of attack? If you are having a POS system installed by someone else, picking a reputable computer company is of paramount importance. Almost anyone can hang a “computer company” sign out front of their office. Look for businesses that are certified in what they do, ask for and check references. Many POS system resellers have authorized installers, ask for them and check into their track record. Monitor your systems for penetration attempts and security breaches. Lastly, do not use default passwords or easily guess-able passwords, an ounce of prevention goes a long way.